What Is the DCSA National Industrial Security Program?
The National Industrial Security Program (NISP) is the framework established by Executive Order 12829 under which the U.S. government protects classified information held by cleared defense contractors. The Defense Counterintelligence and Security Agency (DCSA) โ formed in 2020 from the merger of DSS and part of DCIO โ administers NISP on behalf of over 13,000 cleared facilities across the defense industrial base.
Unlike CMMC (which governs CUI handling under DoD contracts), NISP governs the handling of classified information โ material marked Secret, Top Secret, or Sensitive Compartmented Information (SCI). If your company performs work on classified contracts or stores classified material, NISP compliance is mandatory, not optional.
CMMC and NISP serve different purposes and apply to different information types. CMMC covers CUI (Controlled Unclassified Information) under DoD's cybersecurity program. NISP covers classified information under DCSA's industrial security program. If you handle both CUI and classified information, you need both programs. DefenseBizStack covers both: see the CMMC Phase 2 guide for the cybersecurity side and this guide for the classified side.
DCSA's role includes:
- Adjudicating facility clearance (FCL) requests for cleared contractors
- Monitoring cleared facilities through Industrial Security Representatives (ISRs)
- Managing FOCI (Foreign Ownership, Control, or Influence) determinations and mitigation agreements
- Operating the DCSA Portal (eFCL, NISS, and other systems)
- Conducting facility inspections and vulnerability assessments
- Providing guidance via the NISP Operating Manual (NISPOM)
This guide was authored with AI assistance. DCSA NISP requirements are complex, facility-specific, and subject to DCSA policy updates. All guidance should be verified with your assigned Industrial Security Representative (ISR) and against the current NISPOM at dcsa.mil.
Facility Clearance Tiers
Facility Clearance (FCL) is the approval granted to a contractor to access classified information. FCL is granted at one of four levels, each authorizing access to a corresponding level of classified information. The clearance is issued to the facility, not to individuals โ individual personnel need their own Personnel Clearance (PCL) in addition to working at a cleared facility.
The first step in NISP compliance is determining the clearance level your facility needs, based on the classified work you perform or expect to perform.
| FCL Level | Access Authorization | Typical Use Cases | Eligibility Requirement |
|---|---|---|---|
| Confidential / Secret | Level 1 โ Confidential | Day-to-day classified contract work at the Secret or lower level. Most common FCL for subcontractors and vendors. | U.S. citizenship for key managers; no disqualifying foreign influence; CAGE code required |
| Secret | Level 2 โ Secret | Contracts involving Secret classified information. Common across defense manufacturing, IT, and engineering. | Same as Level 1; FOCI determination required if any foreign ownership exists |
| Top Secret | Level 3 โ Top Secret | Programs requiring access to Top Secret or "Secret with Special Access" information. Requires more extensive vetting. | Enhanced vetting of key managers; additional background investigation; possible FOCI SPA or Proxy Agreement |
| SCI (Special Access Programs) | Level 4 โ SCI Access | Most sensitive intelligence and special access programs. Requires separate compartmented access in addition to Top Secret FCL. | Top Secret eligibility prerequisite; SAP-specific eligibility adjudication; additional sensitivity review |
The SF-328 โ Certificate Pertaining to Foreign Interests
The Standard Form 328 (SF-328) is the mandatory form submitted with every Facility Clearance request. It captures information about the company's ownership structure, foreign affiliations, foreign nationals, and any existing or past relationships with foreign entities.
DCSA uses the SF-328 to assess FOCI risk before granting facility clearance. Incomplete or inaccurate SF-328 submissions are one of the top reasons for FCL processing delays. Companies with any foreign ownership โ including passive investment, board members, or joint venture partners from foreign countries โ must disclose this on the SF-328, even if it seems minor.
Facility Clearance (FCL) is company-level โ it authorizes the cleared facility to receive and handle classified information. Personnel Clearance (PCL) is individual-level โ it authorizes a specific person to access classified information. Both are required for an individual to work on classified contracts. The facility must have FCL at or above the level of the individual's PCL.
How to Apply for Facility Clearance
- Obtain a CAGE code from SAM.gov if you don't already have one โ required for all DCSA submissions
- Register in the DCSA Portal (see the DCSA Portal Onboarding section below)
- Complete SF-328 โ disclose all foreign ownership, control, influence, and foreign national involvement
- Submit via eFCL in the DCSA Portal โ your ISR will review and route for adjudication
- Complete FOCI determination if foreign interests are present (see FOCI section)
- Receive FCL letter โ typically 60โ120 days for new applications; existing companies moving from DSS may be faster
FOCI Mitigations
Foreign Ownership, Control, or Influence (FOCI) exists when a foreign person or entity holds a certain percentage of ownership, controls the company through debt or governance rights, or otherwise exerts influence over the company's decisions related to classified information. FOCI does not automatically disqualify a company from receiving facility clearance โ but it must be identified, assessed, and mitigated through an approved instrument.
DCSA uses a tiered approach: low-level FOCI may be eligible for a mitigated determination without a formal agreement, while higher-level FOCI requires a formal mitigation instrument approved by DCSA and the relevant Cognizant Security Agency (CSA).
FOCI Categories and Mitigation Instruments
| FOCI Level | Mitigation Required | Governance Impact | Approval Body |
|---|---|---|---|
| No FOCI / Mitigated (Low) | None required โ determination letter issued | No restrictions | DCSA ISR |
| Single Principal FOCI | Letter of Understanding and Assurance (LOUA) โ mitigates influence from a single foreign person or entity | Minimal โ board reporting and ISR notification requirements | DCSA |
| Proxy Agreement (PA) | Proxy Agreement โ U.S. citizen proxy makes all FCL-related decisions independently of foreign interest | Significant โ proxy controls board and executive decisions; foreign owner has no access to classified work decisions | DCSA + CSA (if applicable) |
| Special Security Agreement (SSA) | SSA โ for companies with substantial foreign investment (typically >5% voting interest from foreign sources in some cases) | Governance Committee (GC) required; GC approves all access to classified; foreign owner excluded from GC and classified decisions | DCSA + CSA |
| Restructured Proxy Agreement | Restructured PA โ modified version for technology companies with complex ownership structures | Similar to standard PA with modifications for tech sector | DCSA |
| Board Resolution / Other Mitigation | Board resolution or other instrument for specific FOCI scenarios (e.g., foreign national employees in non-sensitive roles) | Varies by instrument | DCSA ISR |
Proxy Agreement
The Proxy Agreement is the most common formal FOCI mitigation instrument for companies with direct foreign ownership or control. Under a Proxy Agreement, a U.S. citizen proxy โ often a senior executive with no financial ties to the foreign owner โ is granted sole authority to make all decisions related to the company's facility clearance, classified contracts, and security policies.
The foreign owner is effectively walled off from any classified information decisions. The proxy must:
- Be a U.S. citizen with no financial relationship to the foreign owner
- Have authority to direct the company's FCL-related decisions independently
- Report to DCSA and the ISR on FCL matters without foreign owner interference
- Maintain documentation proving proxy independence in all classified-related decisions
Special Security Agreement (SSA)
The Special Security Agreement is used when a company has foreign investment that creates FOCI but where a full Proxy Agreement is not the best fit โ often for companies with multiple foreign investors or complex governance structures. Under an SSA, a Governance Committee (GC) composed of cleared U.S. citizens makes all decisions about classified access and FCL matters. Foreign owners are excluded from the GC and from any role in classified program decisions.
The SSA requires:
- A GC of at least three cleared U.S. citizens (five for SCI-cleared companies)
- GC decisions on all classified access, facility clearance matters, and contractor program participation
- Annual GC compliance certifications submitted to DCSA
- No foreign national access to classified information without a separately approved exception
Foreign ownership exists in many defense contractors through institutional investors, venture capital, or strategic partnerships. FOCI is assessed routinely by DCSA and is manageable with the right mitigation instrument. The problem is when companies fail to disclose it. An undisclosed FOCI finding after a facility clearance is granted can result in immediate suspension of FCL and referral for counterintelligence review. Disclose early, mitigate properly.
NISPOM Requirements โ What Every Cleared Facility Must Do
The NISP Operating Manual (NISPOM) (32 CFR Part 117, formerly 32 CFR Part 2004) is the authoritative guide to industrial security requirements. Chapter 8 of NISPOM establishes the security requirements that cleared facilities must meet. Key obligations include:
Information Systems Security
Companies that process classified information on IT systems must implement controls consistent with the appropriate security manual (RMP for collateral, ICD 703 for SCI). This includes:
- Configuration management and accreditation of classified systems
- Access control โ need-to-know basis, role-based access, regular access reviews
- Audit logging and monitoring โ retaining logs for the period required by the applicable security manual
- Media protection โ classified media must be stored in approved containers, logged, and inventoried regularly
- Incident reporting โ any compromise or suspected compromise of classified information must be reported to DCSA within prescribed timeframes
Personnel Security
- All employees with access to classified information must have a Personnel Clearance (PCL) or be under supervision by someone with PCL
- Security briefings for all personnel granted access to classified information
- Regular refresher briefings (typically annual)
- Reporting requirements โ changes in personal circumstances that could affect clearance eligibility (foreign travel, foreign contacts, financial issues)
Physical Security
- Approved storage containers for classified material (TL-rated safes, GSA-approved containers)
- Visitor control procedures โ escorts for uncleared visitors in areas where classified information is accessible
- Contraband procedures โ prohibition of unauthorized personal electronic devices in classified areas
- Security-in-depth: perimeter controls, intrusion detection, alarm monitoring
Security Training and Briefings
All cleared employees must complete initial security awareness training before accessing classified information and annual refresher training thereafter. Records of all training must be maintained.
Classified Contract Handling
Classified contracts involve the creation, handling, storage, and transmission of classified information. The process starts with the contract award package and extends through contract completion and the classified information disposition phase.
DD Form 254 โ The Classified Contract Security Requirements Document
The DD Form 254 (Contract Security Classification Specification) is the mandatory document attached to every classified contract. It specifies the classification level and categories of classified information the contractor will access, the security requirements the contractor must meet, and any special handling instructions. The contractor must acknowledge receipt of the DD Form 254 before classified work begins.
| DD Form 254 Section | What It Covers | Contractor Action |
|---|---|---|
| Part I โ Classification | Levels and categories of classified info (e.g., Secret // NOFORN) | Verify facility FCL matches required level; confirm your FCL scope covers the categories listed |
| Part II โ Requirements | Specific security requirements (IT systems, facilities, personnel) | Review against your current security posture; identify gaps before contract start |
| Part III โ Subcontracting | Requirements for subcontractor FCL and DD Form 254 flow-down | Ensure all subcontracts involving classified information include a DD Form 254 and FCL verification |
| Part IV โ DDTC / Other Agency Requirements | Special requirements from other agencies (e.g., DDTC for ITAR-related classified) | Coordinate with applicable agency on additional requirements; don't assume NISPOM alone is sufficient |
Classified Subcontracting Flow-Downs
Prime contractors are responsible for ensuring that classified requirements are properly flowed to subcontractors. For every subcontract involving classified information, the prime must:
- Include a DD Form 254 with the subcontract award
- Verify the subcontractor has an appropriate FCL (or apply for one on their behalf)
- Confirm the subcontractor's FOCI status is resolved or mitigated
- Maintain visibility into the subcontractor's security compliance throughout the contract period
Many classified contracts involving defense articles also trigger ITAR (International Traffic in Arms Regulations) obligations. ITAR classified contracts require coordination between DCSA (NISP) and DDTC (Directorate of Defense Trade Controls) requirements. See DefenseBizStack's full ITAR Compliance for Manufacturers guide for export control requirements that run alongside your NISP obligations.
Contract Completion and Classified Information Disposition
When a classified contract ends, classified information must be properly dispositioned โ returned to the government, destroyed, or transferred to another cleared facility under authorization. NISPOM specifies requirements for:
- Classified material inventory and accountability โ all classified must be accounted for at contract close
- Destruction certificates โ documenting the destruction of classified material using approved methods
- Transfer of custody โ material moving to another facility requires a DD Form 209 (Classified Material Transmittal form)
- Long-term storage โ if classified material must be retained after contract close, a separate storage agreement is required
DCSA Portal Onboarding
The DCSA Portal (at dcsa.mil) is the central system for all facility-level interactions with DCSA. It replaced the legacy DSS systems (e.g., eQIP, eFCL) and provides a unified interface for FCL management, reporting, training records, and ISR communications.
Getting Access to the DCSA Portal
Registration requires establishing an account and role-based access for your company's cleared facility:
- Identify your Facility Security Officer (FSO) โ the primary point of contact with DCSA; must be a U.S. citizen with appropriate clearance
- Create a DCSA Portal account at dcsa.mil using your company CAGE code and DUNS number
- Complete Identity Proofing (IDP) โ remote identity verification process required for all portal users with access to classified information
- Request role-based access โ FSO, ISSO, Document Control, Visitor Control, and other roles each have separate access requests
- Wait for ISR approval โ your assigned ISR approves role access requests; typical processing 5โ10 business days
- Complete FSO training โ DCSA requires FSO training completion within 90 days of appointment (FSO Level 1 and Level 2 training courses)
The DCSA Portal houses several subsystems you will use regularly: eFCL for facility clearance applications and status tracking; NISS (National Industrial Security System) for incident reporting and security reporting; STEPP for security training tracking; and the classified contract portal for DD Form 254 management and classified contract reporting.
Ongoing DCSA Portal Obligations
Once onboarded, your company must maintain active portal access and submit required reports:
| Report / Activity | Frequency | Portal System |
|---|---|---|
| Annual Self-Inspection | Annually (within 12 months of FCL grant, then each year) | NISS / eFCL |
| Key Manager Change Notification | Within 30 days of any key manager change | eFCL |
| FOCI Status Change Notification | Immediately upon any change in foreign ownership or control | eFCL (amended SF-328) |
| Security Incident Report | Per NISPOM timelines (often 24โ72 hours for serious incidents) | NISS |
| Visitor Control / Foreign Visit Authorization | Prior to each foreign national visit involving classified access | DCSA Portal Visitor module |
| Security Training Records | Updated within 30 days of any training completion | STEPP |
| Classified Material Accountability | Ongoing โ inventory checks quarterly, annual full inventory | NISS (media accountability module) |
Step-by-Step NISP Compliance Roadmap
Whether you're seeking initial facility clearance or maintaining an existing FCL, here's a practical roadmap for staying compliant with DCSA NISP requirements.
-
1
Identify Your FCL Requirement
Review your current and anticipated classified contracts to determine the clearance level needed. If you don't yet have classified contracts but anticipate them, apply for FCL proactively โ processing takes 60โ120 days for new applications.
-
2
Complete the SF-328 and Assess FOCI
Before submitting your FCL application, complete the SF-328 and have your legal/ownership team review for any FOCI triggers. If FOCI is present, consult with DCSA on the appropriate mitigation instrument before submitting โ this avoids processing delays.
-
3
Onboard to the DCSA Portal
Appoint an FSO and register for DCSA Portal access. Complete IDP for all users who will access classified information systems. Request ISSO appointment if you will process classified on IT systems.
-
4
Build Your Security Program
Develop your security plan per NISPOM Chapter 8. This includes physical security controls, classified system accreditation, visitor control procedures, and the appointment of key security staff (FSO, ISSO, courier personnel).
-
5
Process Your First Classified Contract
Review the DD Form 254 carefully before signing. Verify your FCL scope covers the required levels and information categories. Establish secure facilities and media accountability procedures before receiving classified material.
-
6
Maintain Ongoing Compliance
Complete annual self-inspections, report key manager and FOCI changes promptly, keep training records current in STEPP, and prepare for ISR periodic reviews. DCSA ISR visits typically occur every 12โ18 months for active cleared facilities.
Maintaining NISP Compliance After Clearance
Receiving facility clearance is the starting point, not the finish line. DCSA conducts ongoing oversight through your Industrial Security Representative (ISR) and requires continuous compliance across several areas:
ISR Visits and Inspections
Your assigned ISR will conduct periodic facility inspections โ typically annual for new or high-risk facilities, biennial for stable, lower-risk cleared facilities. Inspections review physical security, information systems security, personnel security practices, and FCL record-keeping. Preparation for ISR visits should be ongoing, not last-minute.
Annual Self-Inspection
Every cleared facility must complete an annual self-inspection and submit the results via the DCSA Portal. The self-inspection verifies continued compliance with all applicable NISPOM requirements and provides DCSA with a compliance status overview without requiring an on-site visit.
Key Personnel Requirements
Changes in key managers โ FSO, CEO, or other senior leadership โ must be reported to DCSA within 30 days. New key managers must complete background investigation requirements and in some cases may require DCSA approval before assuming their role in a cleared facility.
FOCI Monitoring
If your FOCI is mitigated through a formal agreement (Proxy Agreement, SSA, etc.), you have ongoing obligations including annual compliance certifications, governance committee meeting records, and reporting of any changes to the foreign ownership structure. Failure to maintain these obligations can trigger FCL suspension.
DCSA NISP compliance is a year-round commitment, not a one-time event. The key to smooth operations: a proactive FSO, current DCSA Portal access, a clean SF-328, a clear FOCI mitigation plan if applicable, and documented evidence of ongoing compliance for every ISR visit. Start your DCSA Portal onboarding early, maintain your annual self-inspection schedule, and report changes before they become problems.
How DefenseBizStack Helps With NISP Compliance
DefenseBizStack provides tools and guidance that support your NISP compliance journey โ from initial FCL application preparation through ongoing facility maintenance.
| Tool / Resource | NISP Use Case |
|---|---|
| DCSA NISP Compliance Guide | This guide โ comprehensive coverage of FCL tiers, FOCI mitigations, classified contracts, and DCSA Portal onboarding. |
| ITAR Compliance Guide | Complementary coverage of ITAR export controls that often run alongside classified NISP requirements โ especially relevant for companies with both classified contracts and ITAR-controlled defense articles. |
| CMMC Phase 2 Compliance Guide | CUI cybersecurity requirements that run alongside your NISP obligations. Many classified facilities also handle CUI and need both programs. |
| SPRS Score Calculator | Assesses your NIST 800-171 posture โ a key component of DFARS compliance that DCSA and CMMC both reference for contractor cybersecurity readiness. |
| NIST 800-171 Compliance Guide | Detailed control-by-control guidance for NIST 800-171, which forms the cybersecurity baseline expected by DCSA for facilities handling both CUI and classified information. |
Stay Compliant Across Defense Regulations
DefenseBizStack covers DCSA NISP, CMMC Phase 2, ITAR, and all the major defense compliance frameworks in one place. Start free โ no account required.
Explore DefenseBizStack โ[AI-GENERATED] Content generated with AI assistance. DCSA NISP requirements are subject to change. Verify all regulatory claims against current DCSA policy at dcsa.mil and consult your assigned Industrial Security Representative (ISR) before making compliance decisions.